The quantum one-time pad in the presence of an eavesdropper 
A classical one-time pad allows two parties to send private messages over a public classical channel
- an eavesdropper who intercepts the communication learns nothing about the message. A quantum 
one-time pad is a shared quantum state which allows two parties to send private messages or 
private quantum states over a public quantum channel. If the eavesdropper intercepts the quantum 
communication she learns nothing about the message. In the classical case, a one-time pad can be 
created using shared and partially private correlations. Here we consider the quantum case in the 
presence of an eavesdropper, and find the single letter formula for the rate at which the two parties 
can send messages using a quantum one-time pad. 



Introduction. If two parties wish to send private messages
over a public channel, then they need to share a one-time
pad or key - perfectly correlated and private strings which
are as long as the messages they want to send. Often, the
strings they share are not perfectly correlated or not
completely secure, e.g. if produced through a channel subject
to wire-tapping. However, they can perform a protocol
over the public channel to reconcile the errors in their
strings, and amplify the privacy, so that they share a
shorter string which is perfectly correlated and private.
Given access to many independent realizations of some
distribution $P_{XYZ}$ shared between the two parties, Alice
(X) and Bob (Y), and an eavesdropper Eve (Z), the rate
$C(P_{XYZ})$ at which Alice can send private messages to
Bob was derived in [T], based on a celebrated result due
to Wyner and Csiszar & Korner [21 13]. It reads

$$C(P_{XYZ}) = \sup\, I(V:Y|U) - I(V:Z|U), \qquad (1)$$

with the conditional mutual information
$I(V:Y|U) := H(VU) + H(YU) - H(VYU) - H(U)$, the Shannon
entropy $H(X) := -\sum_x P_{X=x} \log P_{X=x}$ and the supremum
taken over the Markov chain $X \to U \to V$.

The quantum analog of this is three parties, Alice, Bob
and Eve, who instead of sharing a classical distribution,
share a quantum state $\psi_{ABE}$. Alice then wishes to send
private messages or private quantum states to Bob over a
quantum public channel, i.e. an insecure quantum channel
where the eavesdropper might intercept the sent states.
The question of how many private messages can be sent
using a shared state was posed and answered by Schumacher
and Westmoreland [4] in the case where initially
the eavesdropper is uncorrelated with the two parties
($\psi_{ABE} = \psi_{AB} \otimes \psi_E$), and the sent messages are
classical. They proved that the rate of classical private
messages which can be sent is given by the quantum mutual
information $I(A:B) := S(A) + S(B) - S(AB)$, with
$S(A) = -\mathrm{Tr}\,\rho_A \log \rho_A$ the von Neumann entropy.

Here, we consider the general case where the two parties
want to protect themselves against an eavesdropper
who might be correlated with their state. We also extend
the result to the case where the parties wish to send
encrypted quantum states to each other, i.e. any input
state $\psi_K$ in dimension $\log d$ is encrypted so that during
transmission it is indistinguishable from the maximally
mixed state ($I/\log d$). This makes the scenario a more
fully quantum version of the classical situation. We will
find, in surprising analogy with the classical case, that
the rate $Q$ that Alice can send encrypted quantum states
to Bob using the state $\psi_{ABE}$ is

$$Q(\psi_{ABE}) = \sup \frac{1}{2}\left(I(a:B|\alpha) - I(a:E|\alpha)\right), \qquad (2)$$

with the conditional mutual information
$I(a:B|\alpha) := S(a\alpha) + S(B\alpha) - S(aB\alpha) - S(\alpha)$ and the supremum taken
over channels which map $\psi_A$ to $\rho_{a\alpha}$. Using simple
entropic identities, one sees that the right hand side of Eq. (2)
is equivalent to $\frac{1}{2}\left(I(a:B\alpha) - I(a:E\alpha)\right)$, a quantity
which has made an early appearance in Ref. [5] as the
distillable entanglement assisted by symmetric-side channels.
Note that this optimisation is over single copies of
the state $\psi_{ABE}$, making the result of Equation (2)
single-letter. This is rare in quantum information theory, where
usually the solutions are intractable, requiring optimisation
over arbitrarily many copies of the state.

Statement of the problem. The scenario is as follows:
Alice and Bob share many copies of a quantum system
in a (generally mixed) state $\psi_{AB}$ and since we
want to protect against an arbitrary eavesdropper, we
should imagine that Eve might have any state such that
$\mathrm{Tr}_E\,|\psi\rangle_{ABE}\langle\psi|_{ABE} = \psi_{AB}$, i.e. the eavesdropper might
hold a purification of Alice and Bob's state. Alice is given
a message, either classical or quantum, which she should
communicate to Bob. She is able to implement arbitrary
quantum operations on her share $\psi_A^{\otimes n}$ of the state and
any local ancillas, and she then sends a quantum system
in state $\rho_\alpha$ to Bob down an insecure quantum channel,
which might be intercepted by Eve. In the case where
Eve intercepts $\rho_\alpha$, she should learn an arbitrarily small
amount of information about the message. In the case
where Bob receives the state, he should be able to recover
the message with probability converging to one in
the limit of large $n$. More formally:

Definition 1 (private state transfer) Consider the
message state $\psi_{KR}$ shared between the sender Alice
and a reference. Let Alice, Bob and Eve share the
state $|\psi_{ABE}\rangle^{\otimes n}$ and have further registers $a$, $\alpha$ and
$b$ for Alice and Bob, respectively. Consider Alice's
local operation (a completely positive trace preserving
map) $\mathcal{M}_A : \; \to a\alpha$ and Bob's local operation
$\mathcal{M}_B : B\alpha \to b$. Then a private state transfer protocol
for $\psi_{KR}$ has error $\delta$ and security parameter $\epsilon$, if

$$\|\rho_{bR} - \psi_{KR}\|_1 \le \delta, \qquad (3)$$

$$\|\rho_{RE\alpha} - \rho_R \otimes \rho_{E\alpha}\|_1 \le \epsilon, \qquad (4)$$

where

$$\rho_{RKa\alpha BE} := \mathcal{M}_A(\psi_{KR} \otimes \psi_{ABE}^{\otimes n}) \qquad (5)$$

and

$$\rho_{RKabE} := \mathcal{M}_B \circ \mathcal{M}_A(\psi_{KR} \otimes \psi_{ABE}^{\otimes n}). \qquad (6)$$

For classical messages we let $\psi_{KR} = \frac{1}{d}\sum_k |kk\rangle\langle kk|_{KR}$
and define the optimal rate $C(\psi_{AB})$ as the ratio of $\log(d)$
per $n$, for the largest $d$ for which a private state transfer
protocol is possible, with negligible error for asymptotic
large $n$.

For the optimal rate of quantum messages, in turn,
we set $|\psi_{KR}\rangle = \frac{1}{\sqrt{d}}\sum_k |k,k\rangle_{KR}$ and define $Q(\psi_{AB})$ as
the asymptotic optimal ratio of $\log(d)/n$, over all private
state transfer protocols.

Schumacher-Westmoreland scheme. To prove Eq. (2),
we will make use of the result from [4] for the one-time
pad in the case where the message is classical and the
state $\psi_{AB}$ shared by Alice and Bob is not correlated with
Eve. The main point of the argument is the construction
of a set of quantum operations $\{\mathcal{E}_{k,n}\}$ on Alice's system
and a probability distribution $\{p_{k,n}\}$ such that in the
limit of large $n$,

$$\frac{1}{n}\chi(\{p_{k,n}, \mathcal{E}_{k,n} \otimes I_B(\psi_{AB})\}) \to I(A:B)_\psi, \qquad (7)$$

and

$$\frac{1}{n}\chi(\{p_{k,n}, \mathcal{E}_{k,n}(\psi_A)\}) \to 0, \qquad (8)$$

where $\chi(\{q_k, \sigma_k\}) := S(\sum_k q_k \sigma_k) - \sum_k q_k S(\sigma_k)$ is the
Holevo information [S]. By the HSW theorem [7] Alice
can then send secret classical messages to Bob at a rate
$I(A:B)$ by applying one of the $\mathcal{E}_{k,n}$ operations to her
part of the state and sending it down the insecure channel.
Eq. (7) guarantees that Bob is able to decode Alice's
message in the case the channel is not tampered, while
Eq. (8) ensures that Eve does not learn anything from
the message being sent by intercepting the channel.

Mutual independence. A natural quantity which will arise
in our discussion is the so-called mutual independence
$I_\Lambda$ fH], which we now define. Consider some sequence
of maps $\Lambda^{(n)}$, from a restricted class of operations $\Lambda$,
applied to subsystem $AB$ with the property that

(9)

is such that

An)

Pab

' Pe I

(10)

Then

Definition 2 (mutual independence) Given a state
$\psi_{AB}$, consider a protocol from a class of operations $\Lambda$
for extracting mutual independence $\mathcal{P} = \Lambda^{(n)}$. Define the
rate

$$R(\mathcal{P}, \psi_{AB}) := \lim_{n\to\infty} \frac{1}{2n} I(A:B)_{\Lambda^{(n)}(\psi_{AB}^{\otimes n})}. \qquad (11)$$

Then we define the mutual independence rate of $\psi_{AB}$ as

$$I_\Lambda(\psi_{AB}) = \sup_{\mathcal{P}} R(\mathcal{P}, \psi_{AB}). \qquad (12)$$

The quantity $I_\Lambda$ can be thought of as the rate of private
mutual information that can be extracted from a
state under the class of operations $\Lambda$. As an immediate
consequence of Schumacher-Westmoreland construction
and Definition 2 we find that $C(\psi_{AB})$ is lower bounded
by $I_{1\text{-LOCC}}(\psi_{AB})$, where 1-LOCC is the class of local
operations assisted by one-way classical communication. It
turns out, perhaps surprisingly, that one-way LOCC is
not the right class of operations to be considered here!

As we show, the rate of private messages that can be
sent is given by $I_{ss}(\psi_{AB})$, the mutual independence when
$\Lambda$ is the class of local operations assisted by a
symmetric-side channel. This is a channel given by an isometry
followed by partial trace $\psi_A \to \rho_{BE}$ such that $\rho_{BE}$
is unchanged after interchanging system $E$ with system
$B$. In [9], it is shown that

$$I_{ss}(\psi_{AB}) = \sup \frac{1}{2}\left(I(a:B|\alpha) - I(a:E|\alpha)\right) \qquad (13)$$

where the supremum is taken over channels $A \to a\alpha$. In
[S], we prove as well that this same quantity is equal to
a weaker variant of mutual independence, in which Eq.
(10) is replaced by the weaker criteria



\p'aI 



[n] 

Pa 



'Pe \ 



(14) 



Main result. We now show 
Theorem 3



(15) 



Proof We begin by considering $C(\psi_{AB})$, i.e. Alice
wishes to send Bob a private classical message, and will
then prove the result for $Q(\psi_{AB})$. To see that $I_{ss}(\psi_{AB}) \ge
C(\psi_{AB})/2$, consider an optimal protocol for $C(\psi_{AB})$,
which can always be taken to be as follows: Alice applies
the quantum operation $\mathcal{E}_{k,n} \otimes I_{BE}$ with probability
$p_{k,n}$, generating the ABE ensemble $\{p_{k,n}, \mathcal{E}_{k,n}(\psi_{ABE})\}$,
with $\rho_\alpha = \mathcal{E}_{k,n}(\psi_A)$ being sent to Bob, and $k$ the private
message to be communicated. Then we have

$$C(\psi_{AB}) = \lim_{n\to\infty} \frac{1}{n}\chi(p_{k,n}, \mathcal{E}_{k,n} \otimes I_B(\psi_{AB})). \qquad (16)$$

Consider the state after Alice's optimal local operation

$$\rho_{K\alpha BE} := \sum_k p_{k,n} |k\rangle_K\langle k| \otimes (\mathcal{E}_{k,n} \otimes I_{BE})(\psi_{ABE}). \qquad (17)$$

Then, from Eq. (13) we get

$$I_{ss}(\psi_{AB}) \ge \frac{1}{2}\left(I(K:B\alpha)_\rho - I(K:E\alpha)_\rho\right). \qquad (18)$$

But $I(K:B\alpha)_\rho = \chi(p_{k,n}, \mathcal{E}_{k,n} \otimes I_B(\psi_{AB}))$ and
$I(K:E\alpha)_\rho \to 0$ with increasing $n$, since $\mathcal{E}_{k,n} \otimes I_E(\psi_{AE})$ must
satisfy Condition Q and be asymptotically independent
of $k$. Therefore we get $I_{ss}(\psi_{AB}) \ge C(\psi_{AB})/2$.

Next we need to show that $I_{ss}(\psi_{AB}) \le C(\psi_{AB})/2$.
First, suppose that on top of the insecure ideal quantum
channel Alice and Bob have access to a symmetric-side
channel. Then they could distill $I_{ss}(\psi_{AB})$ of mutual
independence, using the symmetric side-channel. They are
now in the situation considered by Schumacher and
Westmoreland, who showed that in the case where Alice and
Bob are initially product with Eve, $C(\psi_{AB}) = I(A:B)$.
Thus here we would get $C(\psi_{AB}) = 2I_{ss}(\psi_{AB})$ of secure
classical communication.

Of course in the setting we are considering, they do not
have access to the symmetric side-channel. However
suppose Alice simulates locally the side-channel, sends the
part that would go to Bob through the insecure quantum
channel and traces out the part which would go to
Eve. Then, on one hand, if Eve does not intercept the
channel, Bob will get his share of what is sent through
the symmetric side-channel and they can distill at least
$I_{ss}(\psi_{AB})$ of weak mutual independence and achieve the
rate $C = 2I_{ss}(\psi_{AB})$, i.e. if Eve doesn't get her share
of the output $a'$ of the symmetric side-channel Alice and
Bob can not be in a worse position than if she did receive
it. On the other hand, if Eve intercepts the state sent
through the insecure channel, then this is the same state
she would get in the case they were connected by a
symmetric side-channel (because what goes to Bob and Eve
is symmetric), so Eve must still be decoupled from Alice's
final state. This is so because Alice and Eve's state must
be product in the end of the protocol for distilling mutual
independence. Thus she gets no information about $\psi_K$.

This proves $C = 2I_{ss}(\psi_{AB})$. That $Q(\psi_{AB}) =
C(\psi_{AB})/2$ comes from the fact that instead of using the
quantum one-time pad to send private messages, Alice
and Bob could just as well use it to share a classical
private key $\sum_k |kk\rangle\langle kk|_{AB}/d$. This key can then be used to
encrypt quantum states which can then be sent through
the insecure quantum channel.

It is known [TDHT^ that the amount of key required
to encrypt a state of dimension $\log d$ is given by $2\log d$.
In more detail, the procedure for encrypting a quantum
state is for Alice to perform randomizing unitaries
$\sum_k |k\rangle\langle k| \otimes U_k$ controlled on the classical key where $U_k$ is
a complete set of unitaries acting on the state she wants
to encrypt. Bob can then decrypt the quantum state by
performing $U_k^\dagger$. E.g. to encrypt a qubit, Alice applies one
of the four Pauli operators $I, \sigma_x, \sigma_y, \sigma_z$, with the choice of
which operator to apply decided by two bits of key. □
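
The qubit case described above, as an added example that is not code from the paper: it applies the four-Pauli pad, checks that an interceptor without the key holds the maximally mixed state and that a reference system is decoupled in the sense of the privacy condition of Definition 1, and contrasts this with a pad of only one key bit. The sample state `SAMPLE`, the truncated pad {I, X} and the use of the Frobenius distance in place of the trace norm are assumptions of the example.

```python
# Added example (not from the paper): the qubit quantum one-time pad in pure Python.
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
PAULIS = [I2, X, Y, Z]          # complete pad: two key bits select one operator
HALF = [[0.5, 0], [0, 0.5]]     # maximally mixed qubit
# Constructed sample message state (a valid density matrix, chosen arbitrarily).
SAMPLE = [[0.75, 0.25 - 0.25j], [0.25 + 0.25j, 0.25]]

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def dag(a):
    return [[complex(a[j][i]).conjugate() for j in range(len(a))]
            for i in range(len(a[0]))]

def kron(a, b):
    return [[a[i][j] * b[k][l] for j in range(len(a[0])) for l in range(len(b[0]))]
            for i in range(len(a)) for k in range(len(b))]

def conj(u, rho):
    """U rho U^dagger."""
    return mul(mul(u, rho), dag(u))

def average(mats):
    n, d = len(mats), len(mats[0])
    return [[sum(m[i][j] for m in mats) / n for j in range(d)] for i in range(d)]

def dist(a, b):
    """Frobenius distance (assumption: stands in for the trace norm; both vanish together)."""
    return sum(abs(a[i][j] - b[i][j]) ** 2
               for i in range(len(a)) for j in range(len(a))) ** 0.5

def encrypt(key, rho):
    return conj(PAULIS[key], rho)

def decrypt(key, sigma):
    return conj(dag(PAULIS[key]), sigma)

def eve_view(rho, pad):
    """What an interceptor without the key holds: the pad-averaged state."""
    return average([conj(u, rho) for u in pad])

def reference_leak(pad):
    """Distance of rho_RK from rho_R (x) rho_K when K, half of a maximally
    entangled pair with reference R, is padded and the key is unknown."""
    phi = [[0.5, 0, 0, 0.5], [0, 0, 0, 0], [0, 0, 0, 0], [0.5, 0, 0, 0.5]]
    rho_rk = average([conj(kron(I2, u), phi) for u in pad])
    return dist(rho_rk, kron(HALF, HALF))   # both marginals are I/2 for any unitary pad

if __name__ == "__main__":
    print("Eve, full pad  :", dist(eve_view(SAMPLE, PAULIS), HALF))
    print("Eve, pad {I,X} :", dist(eve_view(SAMPLE, [I2, X]), HALF))
    print("reference leak, full pad  :", reference_leak(PAULIS))
    print("reference leak, pad {I,X} :", reference_leak([I2, X]))
```

With the full pad both distances are zero; with the one-bit pad the intercepted state and the reference correlation both remain visible.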

Note that when we are using the key to encrypt quantum
states, we can modify the protocol slightly to include an
authentication step [HlIIl] so that if at some later point,
Bob is allowed at least one bit of backwards communication,
the key can be recycled [13l [15] and used to encrypt
more quantum states. The bit of back-communication is
required to signal to Alice that the protocol succeeded
(i.e. that Eve didn't disturb the sent states too much)
and is not part of the original scenario considered here.
However, in such a case, one can prove that the one-time
pad can be recycled in the case where we are using it to
send quantum states [T5]!

A direct protocol. We can also construct a different pro- 
tocol which encrypts quantum states directly using the 
one-time pad without first using it to create a classical 
key. This results in a saving of log d uses of the public 
quantum channel. 

Recall that to create a classical key, Alice applies
$\mathcal{E}_k \otimes I_{BE}(\psi_{ABE})$ conditioned on a random classical
variable $k$. To encrypt a quantum state directly, Alice
applies $\mathcal{E}_k$ coherently, controlled on her half $K$ of the
entangled state $\psi_{KR} = \sum_k p_k |k\rangle_R |k\rangle_K$, i.e. she performs
the operation $\sum_k |k\rangle\langle k|_K \otimes V_k$, where $V_k$ is an isometric
extension of the operation $\mathcal{E}_k$. This produces the
total state $|\Psi\rangle = \sum_k p_k |k\rangle_R |k\rangle_K |\psi^k\rangle_{\alpha a'BE}$ where $\rho_{a'}$ is
the local environment produced under the action of map
$\mathcal{E}_k$ and $\rho_\alpha$ is its output. Alice then sends $\rho_\alpha$ to Bob,
who can then coherently decode $\rho^k_{\alpha B}$ producing the state
$\sum_k p_k |k\rangle_R |k\rangle_K |k\rangle_{B'} |\psi^0\rangle_{\alpha a'BE}$. The protocol is thus far
secure, because after tracing out system $K$, the state
$\rho_{R\alpha E}$ is exactly the same as in the case of sending a
classical message, and thus satisfies the privacy condition

Since the state $\sum_k p_k |k\rangle_R |k\rangle_K |k\rangle_{B'}$ has $S(K|B') = 0$,
Alice can merge [Tn| her share ($K$) of the state to Bob
by performing a complete measurement in a random basis
and communicating the result to Bob. In [T^ it was
shown that $S(K|B')$ is the amount of EPR pairs that
is needed to send Alice's share $K$ of $|\psi\rangle_{KB'R}$ by
performing a measurement and if $S(K|B') = 0$, then no
additional EPR pairs are needed. Alice's merging measurement
completely decouples the $K$ system from the
reference, with the result that if Alice sends the remainder
of her systems to Bob, the state must have been
transmitted. She could also perform a measurement in
the Fourier basis and communicate the result. Since the
measurement is complete, the number of measurement
outcomes is just $nH(K)$, and because we wish Eve to
learn no information about the state, Alice needs to use
an additional $nH(K)$ of the quantum one-time pad to
encrypt the measurement result and send it.

Alice's measurement result is independent of the final
state (as in teleportation [T^) so we can do the measuring
and sending coherently, which will result in $nH(K)$
EPR pairs being created [15] in the case where Eve does
not interfere with the channel. However, these EPR pairs
can only be used at some later time if Bob verifies that he 
received them using an authentication scheme involving 
at least one bit of back-communication [14]. Note that 
if R is held by Alice, both protocols for sending quan- 
tum states can also be used to create secure EPR pairs 
between Alice and Bob. 

The direct protocol for encrypting quantum states uses
$\log d$ fewer uses of the channel than if we first create a
classical key, and then send encrypted quantum states.
As a result, $\log d$ fewer bits of key are left over if we are
allowed back communication at some later point in time
to recycle the key. This is in keeping with a fundamental
law of privacy [TS] relating sent qubits ($\delta Q$), the change
in the amount of shared key ($\delta K$), and messages sent
($\delta M$) (whether they be classical or quantum):

$$\delta K \le \delta Q - \delta M. \qquad (19)$$

It is also worth noting the connection between merging,
and encryption of the quantum states in this case.
Encrypting the quantum state means that Alice's share
of $|\psi\rangle_{KR}$ should be decoupled from the reference $R$
before being sent down the channel. At the same time,
this decoupling of the reference from Alice's laboratory
is the condition for Alice to succeed in sending her share
[Bin].

Approximate encryption with half key. As we have noted,
the condition for decoupling system $K$ from the reference
$R$ is that $2\log d$ unitaries are applied. It turns out there
is a weaker form of quantum state encryption, where only
slightly more than $\log d$ bits of key are used [5D]. In such a
case, the protocol is secure in the sense that if a measurement
were to be performed on the reference system, then
an eavesdropper would learn an arbitrarily small amount
about the measurement result. We say that the level
of security we obtain is not composable [211 122], meaning
that if the reference system remains unmeasured, and the
eavesdropper does not measure the parts of the quantum
system she intercepted, then we may lose security if we
use the encrypted state in another protocol.

We can easily construct an encryption scheme of this
sort, by adapting the first protocol we presented, so that
instead of choosing a complete set of $2\log d$ unitaries
$U_k$ which act on the state we are encrypting, we choose
just over $\log d$ unitaries at random from the Haar measure
[23]. Such a set is called randomizing rather than
completely randomizing. It is unclear whether the direct
protocol can be adapted in some way for approximate
encryption. This is because the protocol uses merging, and
thus the state to be sent must be completely decoupled
from the reference system.

Discussion. There are essentially two ways we have used
the quantum one-time pad. One way is to use $\psi_{AB}$ to
obtain a correlated and private key, and then use this key
to encrypt messages (quantum or classical). The second
is a generalisation of Schumacher and Westmoreland [4]
where the one-time pad is used directly to encrypt the
message. This also holds true in the case of classical
distributions.

Our results can also be applied to channel coding,
where one has an authenticated noisy quantum channel,
which produces the state $\psi_{ABE}$, and a public quantum
channel. Here we have just taken $\psi_{ABE}$ as a static
resource, but we could have just imagined that it was
produced by a channel from Alice to Bob and Eve. This
is perhaps closest to a quantum version of the
Csiszar-Korner situation and gives a physical application to the
results of [3 [HI [M], about state and channel capacities
assisted by a symmetric-side channel.

We should thus think of a symmetric channel not as an 
exotic side-channel which can be used in conjunction with 
a standard quantum channel. Rather, results which make 
use of a symmetric channel can be applied to the situation 
where an eavesdropper might intercept the quantum sys- 
tems that are sent down an insecure channel. This gives 
further motivation to the notion of the public quantum 
channel as emphasised in [S]. 